Microsoft is warning that attackers can hijack AI agents through poisoned tool descriptions, the plain-text notes that tell an agent what a tool does. Because agents connect to systems through the Model Context Protocol and read these descriptions to decide how to act, an attacker who updates a trusted third-party tool can bury a hidden instruction in its description, telling the agent to quietly collect and exfiltrate data on its next task. Many setups pick up description changes without re-approval, so the poisoned version goes live silently. Each step the agent takes looks legitimate and runs with the user's own permissions, so no alarm fires.
Security firm AIR showed how easily AI agent skills can be weaponized by building a benign-looking design skill, publishing it to marketplaces, and promoting it with an Instagram ad until it reached roughly 26,000 agents, including some on corporate accounts. Every skill-scanning tool they tested, including offerings from Cisco and Nvidia, marked it safe. The trick is that the skill itself stays clean but tells the agent to fetch instructions from an external page the attacker controls, which passes review while pointing at harmless content and can be swapped for a malicious install script later. Skills load into an agent with the same authority as a user's prompt.